The PostgreSQL Global Development Group today released security updates for all active branches of the PostgreSQL object-relational database system, including versions 9.1.3, 9.0.7, 8.4.11 and 8.3.18.

Users of pg_dump, users of SSL certificates for validation or users of triggers using SECURITY DEFINER should upgrade their installations immediately. All other database administrators are urged to upgrade their version of PostgreSQL at the next scheduled downtime. More details on the security fixes are included below.

Features affected by bug fixes in this update include: binary replication and hot standby, GIN, WITH, foreign data wrappers, PL/pgsql, PL/python, inet datatype, intarray, pgcrypto, pg_upgrade, pg_restore and pg_dump. Users of these features should apply the updates as soon as possible.

This release contains 45 fixes to version 9.1, and a smaller number of fixes to older versions, including:

As with other minor releases, users are not required to dump and reload their database or use pg_upgrade in order to apply this update release; you may simply shut down PostgreSQL and update its binaries. Perform post-update steps after the database is restarted.

This update includes three security fixes for the following issues:

CVE-2012-0866: Permissions on a function called by a trigger are not checked.

This fix prevents users from defining triggers which execute functions on which the user does not have EXECUTE permission.

CREATE TRIGGER failed to make any permissions check on the trigger function to be called. An unprivileged database user could attach a trigger function to a table they owned and cause it to be called on data of their choosing. Normally, this would execute with the permissions of a table owner, and thus not give additional capability. However, if a trigger function is marked SECURITY DEFINER, privilege escalation is possible.

CVE-2012-0867: SSL certificate name checks are truncated to 32 characters, allowing connection spoofing under some circumstances.

This fixes SSL common name truncation, which could allow hijacking of an SSL connection under exceptional circumstances.

When using SSL certificates, both clients and servers can be configured to verify the other's host name against the common name in the certificate it presents. However, the name extracted from the certificate was incorrectly truncated to 32 characters. Normally that just results in a verification failure, but if the actual host name of a machine is exactly 32 characters long, it could, in principle, be spoofed. The risk of this actually happening appears unlikely, and an attacker would still need to take additional steps outside of PostgreSQL to succeed with an exploit.
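The effect of the truncation on the name comparison, as an added example that is not PostgreSQL's own code. The function names, the `CN_LIMIT` constant and the sample host names are assumptions made for illustration, and the comparison is simplified to an exact, case-sensitive match.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CN_LIMIT 32 /* assumed: the 32-character limit described above */

/* Pre-fix model: the certificate name is cut to CN_LIMIT characters
 * before it is compared with the expected host name. */
bool verify_cn_truncating(const char *cert_cn, const char *host)
{
    char buf[CN_LIMIT + 1];
    size_t n = strlen(cert_cn);

    if (n > CN_LIMIT)
        n = CN_LIMIT;           /* silent truncation: the defect */
    memcpy(buf, cert_cn, n);
    buf[n] = '\0';
    return strcmp(buf, host) == 0;
}

/* Hardened model: compare the whole name using its real length, and
 * reject a name that carries an embedded NUL byte. */
bool verify_cn_full(const char *cert_cn, size_t cn_len, const char *host)
{
    if (memchr(cert_cn, '\0', cn_len) != NULL)
        return false;
    if (cn_len != strlen(host))
        return false;
    return memcmp(cert_cn, host, cn_len) == 0;
}

int main(void)
{
    /* Constructed sample values: a 32-character host name and a longer
     * certificate name that shares its first 32 characters. */
    const char *host = "db-primary-0001.prod.example.com";
    const char *cn = "db-primary-0001.prod.example.com.constructed.invalid";

    printf("truncating check accepts: %d\n", verify_cn_truncating(cn, host));
    printf("full check accepts:       %d\n", verify_cn_full(cn, strlen(cn), host));
    return 0;
}
```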

CVE-2012-0868: Line breaks in object names can be exploited to execute code when loading a pg_dump file.

This fix removes '\n' and '\r' from dumpfile comments.

pg_dump copied object names into comments in a SQL script without sanitizing them. An object name that includes a newline followed by an SQL command would result in a dump script in which the SQL command is exposed for execution. When and if the dump script is reloaded, the command would be executed with the privileges of whoever is running the script - often a superuser.
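A simplified model of the comment header and of the fix, as an added example that is not pg_dump's own code. The header layout, function names and sample object name are assumptions, and this sketch substitutes a space for each line break, which is one way to keep them out of the comment.

```c
#include <stdio.h>
#include <string.h>

/* Pre-fix model: the object name goes into the "--" comment unchanged. */
int emit_header_raw(char *out, size_t cap, const char *name)
{
    return snprintf(out, cap, "--\n-- Name: %s; Type: TABLE\n--\n", name);
}

/* Post-fix model: '\n' and '\r' in the name are replaced with spaces,
 * so the whole name stays on the comment line. */
int emit_header_sanitized(char *out, size_t cap, const char *name)
{
    char clean[256];
    size_t i;

    for (i = 0; name[i] != '\0' && i < sizeof(clean) - 1; i++)
        clean[i] = (name[i] == '\n' || name[i] == '\r') ? ' ' : name[i];
    clean[i] = '\0';
    return snprintf(out, cap, "--\n-- Name: %s; Type: TABLE\n--\n", clean);
}

/* Count non-empty lines that do not start with "--": text in a header
 * that should be comment-only but would be read as SQL on reload. */
int lines_outside_comment(const char *script)
{
    int count = 0;

    while (*script != '\0') {
        size_t len = strcspn(script, "\r\n");
        if (len > 0 && strncmp(script, "--", 2) != 0)
            count++;
        script += len;
        if (*script != '\0')
            script++;
    }
    return count;
}

int main(void)
{
    char buf[512];
    const char *name = "orders\nSELECT 1;"; /* constructed sample name */
    emit_header_raw(buf, sizeof buf, name);
    printf("raw: %d\n", lines_outside_comment(buf));
    emit_header_sanitized(buf, sizeof buf, name);
    printf("sanitized: %d\n", lines_outside_comment(buf));
    return 0;
}
```

The same line counter can be run over the comment headers of an existing dump file before it is reloaded, as a check that no header line falls outside a comment.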

All supported versions of PostgreSQL are affected. See the release notes for each version for a full list of changes with details of the fixes and steps.

Microsoft Windows, Storage, Applications: anywhere, anytime, on any device

Mobile World Congress 2012, Barcelona, Spain and London, UK - February 27th, 2012 - nivio, hot on the heels of its US launch, today announced the beta launch of its European service that brings Windows to all your favorite connected devices. Through nivio, users have access to the nApps Store where they can rent applications, such as the complete Microsoft productivity suite, and take advantage of 10GB...
Source: RealWire

BARCELONA, SPAIN (Marketwire) - NVIDIA today announced that its NVIDIA(R) Tegra(R) 3 mobile processor, the world's only 4-PLUS-1(TM) quad-core processor, is powering the new HTC One(TM) X unveiled at Mobile World Congress. The smartphone represents the first collaboration between the two companies.

Miranda IM is a multi-protocol instant messaging client for Windows. Very light on system resources and extremely fast, Miranda IM requires no installation and can be made to fit on a single floppy disk or USB drive. Featuring a powerful plugin-based framework and boasting over 350 plugins, Miranda IM is one of the most flexible and customisable messaging clients on the planet. Miranda includes support for AIM (AOL Instant Messenger), Facebook (See instructions), Gadu-Gadu, IAX (Inter-Asterisk Exchange), ICQ, IRC (Internet Relay Chat), Jabber, MSN, Netsend, Tlen, Yahoo, and more.

Mozilla Firefox is a fast, full-featured browser for Windows that makes browsing more efficient than ever before. Firefox includes popup blocking; a tab-browsing mode that lets you open several pages in a single window; integrated Google searching; simplified privacy controls that let you cover your tracks more effectively; a streamlined browser window that shows you more of the page than any other browser; and a number of additional features that work with you to help you get the most out of your time online.

Beyond Compare allows you to quickly and easily compare your files and folders. By using simple, powerful commands you can focus on the differences you're interested in and ignore those you're not. You can then merge the changes, synchronize your files, and generate reports for your records.

The PHP development team would like to announce the 8th release candidate of PHP 5.4. PHP 5.4 includes new language features and removes several legacy (deprecated) behaviours. Windows binaries can be downloaded from the Windows QA site. THIS IS A RELEASE CANDIDATE - DO NOT USE IT IN PRODUCTION!

This is the 8th release candidate. The release candidate phase is intended as a period of bug fixing prior to the stable release. No new features should be included before the final version of PHP 5.4.0. The 7th and 8th release candidates focus on fixing critical bugs and security vulnerabilities, including: A buffer overflow in htmlspecialchars() and htmlentities() (bug #60965). Improving the max_input_vars configuration directive to check nested variables. A complete list of changes since the last release candidate can be found in the NEWS file.

We've received a lot of feedback that has helped to improve the upcoming release of PHP 5.4.0. Please continue to help us to identify bugs in order to ensure that the release is solid and all things behave as expected by taking the time to test this release candidate against your code base and reporting any problems that you encounter to the QA mailing list and/or the PHP bug tracker. The next release candidate will be released on March 1.